Ge#ng&started&with&ModSecurity&Ge#ng&started&with&ModSecurity&...
Transcript of Ge#ng&started&with&ModSecurity&Ge#ng&started&with&ModSecurity&...
Ge#ng&started&with&ModSecurity&
Lightning&Training&–&AppSec&USA&2015&
&
Luca&Care@oni&–&lcare@[email protected]&
Mukul&Khullar&–&[email protected]&
&
Training Goal
• AGer&this&training,&you&will&be&able&to&tune&and&deploy&ModSecurity,&use&available&rule&packages&
and&write&simple&custom&rules&
• From&there,&you&will&be&equipped&to&explore&
addiNonal&advanced&ModSecurity&topics&such&as:&
– Persistent&storage&– Lua&rules&engine&– XML&parsing&
– ….and&more&
What is Required
• Oracle&VM&VirtualBox&
• Download&the&VM&from&the&Lab&Wifi&Network&
Network&Name:&owaspmodsec*Network&Password:&nointernetheregoaway&*h2p://192.168.1.2/owaspmodsec.ova*MD5&(owaspmodsec.ova)&=&
6f838d64b5946a6e7c6d7e0a25653465*
What We Use
• Apache&HTTPd&• ModSecurity&2.9&
• OWASP&ModSecurity&CRS&
• Damn&Vulnerable&Web&ApplicaNon&
Introduction
• The&OpenSource&Web&ApplicaNon&Firewall&
h@ps://www.modsecurity.org/&
&
• “ModSecurity&is&a&toolkit&for&realhNme&web&
applicaNon&monitoring,&logging&and&access&
control”&–"Ivan"Ris*c"
Deployment Usage
• Logging*and*monitoring*– ModSecurity&gives&you&the&ability&to&log&raw&HTTP&traffic&
• Virtual*patching*– ModSecurity&can&be&used&to&block&HTTP&requests&based&on&
flexible&and&extensible&rules&set&
• Data*leakage*safety*net*– ModSecurity&can&also&block&HTTP&responses&to&prevent&
data&leakage&
• Hardening*– ModSecurity&can&reduce&the&a@ack&surface&by&limiNng&
specific&HTTP&types,&headers&and¶meters&
Deployment&Scenarios&
Embedded*with*the*WS* Reverse*Proxy**
Request&
Apache&HTTPD&
ModSecurity&
Request&
Apache&HTTPD&
ModSecurity&
Web&Server&(e.g.&Nginx)&
Forward&
!&We&use&this&mode&
PreparaNon&For&Labs&1/3&
Is&your&virtual&machine&up&and&running?&
&
Login&with:&
User:&owasp"Password:&owasp"
PreparaNon&For&Labs&2/3&
We&have&already&installed:&
• Nginx&on&port&8888/tcp,&localhost&only&• Apache&(reverse&proxy)&on&port&80/tcp&and&
443/tcp&
PreparaNon&For&Labs&3/3&
Nginx&is&hosNng&a&broken&web&app&(DVWA)&
• Open&Firefox&and&visit&h2ps://owaspmodsec/dvwa/*
• Username:&admin,&Password:&password"• Verify&DVWA&Security&se#ng&
&
&
&
Lab1&h&Install&
$&sudo&dnf&install&mod_security&
ModSecurity&can&be&compiled&from&source&
code,&or&simply&installed&via&OS&packages&
• It’s&2015.&Let’s&use&the&binary&package&
Lab2&–&Exploring&the&default&config&
$&less&/etc/h@pd/conf.d/mod_security.conf&&
$&sudo&nano&/etc/h@pd/conf.d/mod_security.conf&
&
&SecDebugLogLevel&0&"&SecDebugLogLevel&3&
…&
SecDebugLog&/var/log/h@pd/modsec_debug.log&
SecAuditLog&/var/log/h@pd/modsec_audit.log&
&
$&ls&/etc/h@pd/modsecurity.d/&
&
Let’s&have&a&look&at&the&default&
configuraNon&files&and&directories:&
Lab2&–&Exploring&the&default&config&
$&sudo&systemctl&restart&h@pd&
$&sudo&tail&hf&/var/log/h@pd/error_log&
&
…&
[Sat&Jun&13&21:46:20&2015]&[noNce]&ModSecurity&for&Apache/
2.7.3&(h@p://www.modsecurity.org/)&configured&
…&
&
AGer&restarNng&Apache&HTTPd,&let’s&verify&
that&ModSecurity&is&properly&enabled…&
• It&works,&but&there&are&no&rules&yet!&
Lab3&–&Write&your&first&rule&
$&sudo&nano&/etc/h@pd/modsecurity.d/acNvated_rules/
firstrule.conf&
&
SecRule&ARGS_GET_NAMES&"name"&"id:'1',phase:
2,log,deny,status:503"&
We&want&to&create&a&rule&to&block&pages&
containing&the&HTTP&GET¶meter&
“name”&
• In&DVWA,&visit&the&XSS&Reflect&exercise&
• What&do&you&expect&to&see?&
Lab3&–&Write&your&first&rule&
Lab3&–&Write&your&first&rule&
$&sudo&nano&/etc/h@pd/conf.d/mod_security.conf&
&
&&SecRuleEngine&On&"&SecRuleEngine&DetecNonOnly&
&
$&sudo&systemctl&reload&h@pd&
$&sudo&tail&hf&/var/log/h@pd/error_log&
$&sudo&tail&hf&/var/log/h@pd/modsec_audit.log&
Let’s&experiment&a&bit&more&with&our&rule&
• Enable&detecNon,&instead&of&blocking&• Change&the&HTTP&Status&Error&• Use&ARGS&and&a®exp&definiNon&
Lab4&–&Install&OWASP&ModSecurity&CRS&
$&git&clone&h@ps://github.com/SpiderLabs/owasphmodsecurityhcrs&
$&sudo&mv&owasphmodsecurityhcrs/&/etc/h@pd/modsecurity.d/&
$&sudo&su&h&
&
#&cd&/etc/h@pd/modsecurity.d/&
#&cp&owasphmodsecurityhcrs/
modsecurity_crs_10_setup.conf.example&
modsecurity_crs_10_setup.conf&
&
The&project&provides&pluggable&rules&to&
detect&common&web&vulnerabiliNes&
• Let’s&see&how&to&use&them:&
Lab4&–&Install&OWASP&ModSecurity&CRS&
#&for&f&in&`ls&owasphmodsecurityhcrs/base_rules/`&;&do&ln&hs&/
etc/h@pd/modsecurity.d/owasphmodsecurityhcrs/base_rules/
$f&acNvated_rules/$f&;&done&
&
#&for&f&in&`ls&owasphmodsecurityhcrs/opNonal_rules/`&;&do&ln&h
s&/etc/h@pd/modsecurity.d/owasphmodsecurityhcrs/
opNonal_rules/$f&acNvated_rules/$f&;&done&
&
#&ls&hauhl&acNvated_rules&
#&systemctl&reload&h@pd&
#&tail&hf&/var/log/h@pd/error_log&
&
Lab4&–&Install&OWASP&ModSecurity&CRS&
$&sudo&nano&/etc/h@pd/conf.d/mod_security.conf&
&
&&SecRuleEngine&DetecNonOnly&"&SecRuleEngine&On&
&
$&sudo&systemctl&reload&h@pd&
Restart&your&browser,&and&login&in&DVWA&
• What’s&happening?&
• Look&at&the&logs.&Which&rules&are&
triggered?&Why?&
Lab5&–&Tune&OWASP&ModSecurity&CRS&
$&sudo&nano&/etc/h@pd/conf.d/mod_security.conf&
&
Include&modsecurity.d/disabled.conf&
&
$&sudo&nano&/etc/h@pd/modsecurity.d/disabled.conf&
&
SecRuleRemoveById&900046&
&
$&sudo&systemctl&reload&h@pd&
&&
It’s&Nme&to&tune&the&rules&for&our&web&app&
Lab5&–&Tune&OWASP&ModSecurity&CRS&
$&sudo&nano&/etc/h@pd/modsecurity.d/disabled.conf&
&
<LocaNonMatch&/vulnerabiliNes/xss_r/>&
&&&&&SecRuleRemoveById&981143&
&</LocaNonMatch>&
&
$&sudo&systemctl&reload&h@pd&
&
&&
Check&the&logs&again.&SNll&see&a&warning?&
&
&
&
&
&
&
&
Now,&try&again…&
Lab5&–&Tune&OWASP&ModSecurity&CRS&
Time&to&experiment&with&real&vulnerabiliNes&
Lab5&–&Tune&OWASP&ModSecurity&CRS&
It’s&working!&&
&
Let’s&experiment&a&bit&more&with&the&following&
exercises:&
• SQL&InjecNon&• CrosshSite&Request&Forgery&
• Is&it&blocking?&Why?&
• Command&ExecuNon&
• Does&it&work?&
Lab5&–&Tune&OWASP&ModSecurity&CRS&
Command&ExecuNon&exercise&
• A@ack&payload:&127.0.0.1"&&"ls"• Returns"403"
• A@ack&payload:&127.0.0.1;"ls"• Woot!"Bypass?"
Lab5&–&Tune&OWASP&ModSecurity&CRS&
$&cd&/etc/h@pd/modsecurity.d/&
$&sudo&nano&acNvated_rules/whitelist.conf&&
&
SecRule&ARGS:ip&"!^[\d\.]+$"&"id:'2',phase:2,block,msg:'Host&is¬&IP&address’"&
&
$sudo&systemctl&reload&h@pd&
Let’s&write&a&rule&to&allow&IP&addresses&only&
• PosiNve&security&model&(whitelisNng)&
Try&again.&What’s&happening?&
Lab6&–&Setup&a&custom&Error&Page&
$&sudo&nano&&/etc/h@pd/conf/[email protected]&
&
ErrorDocument&403&"<html><body&bgcolor=
\"#FF0000\"><h1>ModSecurity&is&here!&Go&away...</h1></
body></html>”&
&
$&sudo&/etc/init.d/h@pd&restart&
Default&error&pages&are&boring.&Be&creaNve!&
Lab7&–&PrevenNng&data&leakage&
$&sudo&nano&mod_security.conf&
&
SecResponseBodyAccess&Off&"&SecResponseBodyAccess&On&
&
&$&sudo&nano&acNvated_rules/custom_info_leak_block.conf&&
&
SecRule&RESPONSE_BODY&"@rx&<Ntle>phpinfo\(\)</Ntle>"&&"id:'1234',phase:
4,log,block,t:none,msg:'PHP&phpinfo()&output&detected’”&
&
$&sudo&systemctl&reload&h@pd&
Let’s&see&how&to&block&PHP’s&phpinfo()&output&
• A@ackers&can&leverage&this&page&for&info&gathering&
• We’re&building&a&system&to&prevent&data&leakage&
Lab8&–&ImplemenNng&Rate&LimiNng&
$&sudo&nano&acNvated_rules/global_rate_limiNng.conf&&
&
<LocaNonMatch&"^/">&
&&SecAcNon&initcol:ip=%{REMOTE_ADDR},pass,nolog,id:12345&
&&SecAcNon&”id:12346,phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"&
&&SecRule&IP:SOMEPATHCOUNTER&"@gt&60"&”id:12347,phase:2,pause:300,deny,status:
509,setenv:RATELIMITED,skip:1,nolog"&
&&SecAcNon&”id:12348,phase:2,pass,setvar:ip.somepathcounter=+1,nolog"&
&&Header&always&set&RetryhAGer&"10"&env=RATELIMITED&
</LocaNonMatch>&
&
$&sudo&systemctl&reload&h@pd&
&
h@p://johnleach.co.uk/words/1073/ratehlimiNnghwithhapachehandhmodhsecurity&
&
Lab8&–&ImplemenNng&Rate&LimiNng&
$&��sudo&rm&/etc/h@pd/modsecurity.d/acNvated_rules/modsecurity_*&
$&sudo&systemctl&reload&h@pd&
&
$&while(true);&do&Nme&curl&hs&hk&h@ps://owaspmodsec/dvwa/&;&done&
&
real &0m0.113suser&0m0.018ssys &0m0.030s&
…�&
real &0m0.411suser&0m0.017ssys &0m0.028s&
&
&
Let’s&test&this&rule…&
That’s all for today
From&here,&you&can&learn&something&new&everyday&&
&
As&an&example:&
• Use&ModSecurity&to&idenNfy&vulnerabiliNes&or&
misconfiguraNons&in&your&web&applicaNon&
– Detect&missing&CSRF&tokens,&XhFramehOpNons&header,&
Improper&ContenthType,&…&
– IdenNfy&pages&with&excepNon&stack&traces&– Setup&email&alert&once&a&rule&is&triggered&(using&exec)&
References
• ModSecurity&Reference&Manual&
– h@ps://github.com/SpiderLabs/ModSecurity/wiki/
ReferencehManual&
• ModSecurity&Handbook&
– h@ps://www.feistyduck.com/books/modsecurityh
handbook/&